Zulip Security

Security basics

All Zulip clients (web, mobile, desktop, terminal, and integrations)
require TLS encryption and authentication over HTTPS for all data
transmission between clients and the server, both on LAN and the Internet.
Encryption-at-rest is available with Zulip on-premise, via hardware and
software disk encryption of the database and other data storage media.

Zulip’s on-premise offerings can be hosted entirely behind your firewall,
or even on an air-gapped network (disconnected from the Internet).

Every Zulip authenticated API endpoint has built in rate limiting to
prevent DoS attacks.

Connections from the Zulip servers to Active Directory/LDAP can be secured
with TLS. If Zulip is
deployed on multiple servers,
all connections between parts of the Zulip infrastructure can be secured
with TLS or SSH.

Message content can be
excluded from mobile push notifications,
to avoid displaying message content on locked mobile screens, and to
comply with strict compliance policies such as the USA’s HIPAA standards.

Zulip operates a HackerOne bug bounty program to reward hackers for
finding and responsibly reporting security vulnerabilities in Zulip. Our
completely open source codebase means
that HackerOne’s white-hat hackers can audit Zulip for potential security
issues with full access to the source code.

Configurable access control policies

Zulip supports private messages (to one or more individuals), private
streams with any number of subscribers, as well as public streams
available to all organization members. We also support guest accounts,
which only have access to a fixed set of streams, and announcement
streams, where only organization administrators can post.

Zulip provides many options for
managing who can join the organization,
supporting everything from open to the public (e.g. for open source
projects), to requiring an invitation to join, to having an email from a
list of domains, to being a member of a specific organization in
LDAP/Active Directory.

Users can rotate their accounts’ credentials, blocking further access from
any compromised Zulip credentials. With Zulip on-premise, server
administrators can additionally revoke and reset any user’s credentials.

Integrity and auditing

Zulip administrators can configure users’
ability to edit or delete messages,
and whether deleted messages are retained in the database or deleted
permanently. Zulip by default stores the complete history of all message
content on the platform, including edits and deletions, and all uploaded
files.

Zulip’s server logging has configurable log rotation policies and can be
used for an end-to-end history of system usage.

Zulip stores in its database a permanent long-term audit log containing
the history of important actions (e.g. changes to passwords, email
addresses, and stream subscriptions).

Zulip’s powerful data exports
(on-premise,
cloud) can be imported into third-party
tools for legal discovery and other compliance purposes. Zulip’s
enterprise offerings include support for integrating these with your
compliance tools.

Zulip supports GDPR and HIPAA compliance.

The little things

Many products talk about having great security and privacy practices, but
fall short in actually protecting their users due to buggy code or poor
operational practices.

Our focus on security goes beyond a feature checklist: it’s a point of
pride. Zulip founder Tim Abbott was previously the CTO of Ksplice, which
provided rebootless Linux kernel security updates for over 100,000
production servers (now the flagship feature of
Oracle Linux).

Here are some security practices we’re proud of, all of which are unusual in
the industry:

The Zulip server’s automated test suite has over 98% test coverage,
including 100% of Zulip’s API layer (responsible for parsing user input).
It is difficult to find any full-stack web application with as complete a
set of automated tests as Zulip.

Zulip’s python codebase is written entirely in
statically typed Python 3,
which automatically prevents a wide range of possible bugs.

All access to user data (messages, streams, uploaded files, etc.) in the
Zulip backend is through carefully-audited core libraries that validate
that the user who is making the request has access to that data.

Only a small handful of people have access to production servers or
to sensitive customer data.

Our error handling systems are have been designed from the beginning to
avoid including user message content in error reports, even in cases where
this makes debugging quite difficult (e.g. bugs in the message rendering
codebase).

Zulip has a carefully designed API surface area of only about 100 API
endpoints. For comparison, products of similar scope typically have
hundreds or even thousands of endpoints. Every new API endpoint is
personally reviewed for security and necessity by the system architect Tim
Abbott.

These security practices matter! Slack, the most popular SaaS team chat
provider, has needed to award
hundreds of bounties for security bugs found
by security researchers outside the company. This incredible number of
discovered vulnerabilities likely results from Slack not following secure
development practices (e.g. Slack uses a
famously insecure
programming language as the core language for their product).